12.7 Default virtual host
1. Edit the main configuration file and delete the server block
[root@arslinux-01 conf]# vim /usr/local/nginx/conf/nginx.conf
Delete the part marked in red in the screenshot above
2. Add include vhost/*.conf so that the server section lives in its own configuration file
3. Create a vhost directory under /usr/local/nginx/conf/, enter it, and edit aaa.com.conf
[root@arslinux-01 conf]# mkdir vhost/
[root@arslinux-01 conf]# cd vhost/
[root@arslinux-01 vhost]# vim aaa.com.conf
server
{
    listen 80 default_server;
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
}
4. Create the /data/wwwroot/default directory and create an HTML file in it
[root@arslinux-01 vhost]# mkdir -p /data/wwwroot/default/
[root@arslinux-01 ~]# cd /data/wwwroot/default/
[root@arslinux-01 default]# vim index.html
This is the default site.
5. Check the configuration file and reload the configuration
[root@arslinux-01 vhost]# /usr/local/nginx/sbin/nginx -t    # check the syntax
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 vhost]# /usr/local/nginx/sbin/nginx -s reload    # reload the configuration
6. Test with curl
[root@arslinux-01 default]# curl localhost
This is the default site.
Previously this returned the default nginx page; now it returns the content we just wrote
If something is wrong, check nginx.conf, aaa.com.conf and the other configuration files for mistakes
7. Whatever domain is requested, as long as it resolves to this server, the default site is served
[root@arslinux-01 default]# curl -x127.0.0.1:80 aaa.com
This is the default site.
[root@arslinux-01 default]# curl -x127.0.0.1:80 bbb.com
This is the default site.
[root@arslinux-01 default]# curl -x127.0.0.1:80 bbbc.com
This is the default site.
Ways to designate the default virtual host:
1. By load order: name the file in vhost/ so that it sorts first (for example aaa or 0)
2. Specify default_server in the conf file
12.8 Nginx user authentication
1. Create a new virtual host and edit its configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location /
    {
        auth_basic "Auth";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }
}
2. Generate the username and password with htpasswd (if Apache is not installed, htpasswd can be installed with yum; do not add -c for the second and later users, since -c creates the file anew)
[root@arslinux-01 ~]# /usr/local/apache2/bin/htpasswd -c /usr/local/nginx/conf/htpasswd arslinux
New password:
Re-type new password:
Adding password for user arslinux
[root@arslinux-01 ~]# cat /usr/local/nginx/conf/htpasswd
arslinux:$apr1$jHiTfZoi$UU32/eJf/s4wKGMIkpZ4j/
[root@arslinux-01 ~]# /usr/local/apache2/bin/htpasswd /usr/local/nginx/conf/htpasswd user1
New password:
Re-type new password:
Adding password for user user1
3. Check the syntax and reload
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
4. Access the site
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.14.2
Date: Wed, 15 May 2019 14:30:43 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
[root@arslinux-01 ~]# curl -uarslinux:7231131 -x127.0.0.1:80 test.com -I
HTTP/1.1 404 Not Found
Server: nginx/1.14.2
Date: Wed, 15 May 2019 14:30:48 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
5. Create the test.com directory and an index.html inside it with any content
[root@arslinux-01 ~]# mkdir /data/wwwroot/test.com
[root@arslinux-01 ~]# echo "test.com" > /data/wwwroot/test.com/index.html
6. Access it again
[root@arslinux-01 ~]# curl -uarslinux:7231131 -x127.0.0.1:80 test.com
test.com
Restricting a directory
· If only a particular directory should require authentication, change the configuration file
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
· Without a username and password, test.com is accessible but test.com/admin/ is not
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com
test.com
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/admin/
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
· Create the /admin/ directory and a test page index.html
[root@arslinux-01 ~]# mkdir /data/wwwroot/test.com/admin/
[root@arslinux-01 ~]# echo "test.com admin dir" > /data/wwwroot/test.com/admin/index.html
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/admin/
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
[root@arslinux-01 ~]# curl -uarslinux:7231131 -x127.0.0.1:80 test.com/admin/
test.com admin dir
Restricting a URL
· Edit the configuration file to match admin.php
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
· Test: the /admin/ directory does not need authentication and admin.php does; with credentials the request is accepted, it is just that the file does not exist yet
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/admin/
test.com admin dir
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/admin.php
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
[root@arslinux-01 ~]# curl -uarslinux:7231131 -x127.0.0.1:80 test.com/admin.php
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
Once the match is on admin.php, /admin/ is no longer restricted; only admin.php is
· Create an admin.php file and curl again; the 404 error no longer appears
[root@arslinux-01 ~]# vim /data/wwwroot/test.com/admin.php
<?php echo "This is admin.php test!";
[root@arslinux-01 ~]# curl -uarslinux:7231131 -x127.0.0.1:80 test.com/admin.php
<?php echo "This is admin.php test!";
12.9 Nginx domain redirection
· Nginx supports several names after server_name
1. Edit test.com.conf and add a server_name: test2.com
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
2. Add a rewrite to redirect the domain
If the host is not test.com, redirect to test.com; permanent gives a 301, redirect gives a 302
3. Test: a request for test2.com/index.html is redirected to test.com/index.html
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test2.com/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Wed, 15 May 2019 15:07:02 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/index.html
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test2.com/admin/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Wed, 15 May 2019 15:08:48 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/index.html
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test3.com/admin/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Wed, 15 May 2019 15:08:58 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/index.html
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test4.com/admin/index.html -I
HTTP/1.1 404 Not Found
Server: nginx/1.14.2
Date: Wed, 15 May 2019 15:09:01 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
· Whatever follows the domain is kept unchanged by the redirect; only the part before the / changes
· test4.com is not defined in the configuration file, so it cannot be redirected
12.10 Nginx access log
1. In the main configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/nginx.conf
Although the red box contains three lines, a directive ends at the semicolon, so this is really a single configuration line
combined_realip is the name given to the log format; whatever name is defined here must be used when it is referenced later
· Meaning of each field
2. In the virtual host configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
3. Access
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test4.com/admin/index.html -I
HTTP/1.1 404 Not Found
Server: nginx/1.14.2
Date: Wed, 15 May 2019 15:25:16 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test3.com/admin/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Wed, 15 May 2019 15:25:18 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/index.html
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test2.com/admin/index.html -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Wed, 15 May 2019 15:25:22 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://test.com/admin/index.html
[root@arslinux-01 ~]# cat /tmp/test.com.log
127.0.0.1 - [15/May/2019:23:25:18 +0800] test3.com "/admin/index.html" 301 "-" "curl/7.29.0"
127.0.0.1 - [15/May/2019:23:25:22 +0800] test2.com "/admin/index.html" 301 "-" "curl/7.29.0"
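An added example, not part of the original post: a shell function that counts 401 and 403 responses per client in a log written in the layout of the lines above, which is a quick way to spot repeated failed logins or blocked requests. The field layout is inferred from those sample lines; the function names and the sample log entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Field layout inferred from the
# sample lines in /tmp/test.com.log (assumption):
#   remote_addr x_forwarded_for [time_local] host "request_uri" status "referer" "user_agent"

# write_sample_log FILE: constructed log lines for the demo, including one
# entry with several X-Forwarded-For addresses and one malformed line.
write_sample_log() {
    cat > "$1" <<'EOF'
127.0.0.1 - [16/May/2019:21:33:28 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:21:34:10 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
192.0.2.10 - [16/May/2019:21:40:01 +0800] test.com "/admin.php" 401 "-" "curl/7.29.0"
192.0.2.10 - [16/May/2019:21:40:02 +0800] test.com "/admin.php" 401 "-" "curl/7.29.0"
192.0.2.10 - [16/May/2019:21:40:03 +0800] test.com "/admin.php" 401 "-" "curl/7.29.0"
198.51.100.7 203.0.113.5, 203.0.113.9 [16/May/2019:21:41:00 +0800] test.com "/1.gif" 403 "http://example.org/" "Mozilla/5.0"
this line is not an access log entry
EOF
}

# denied_by_client LOGFILE
# Prints "<count> <client_ip> <status>" for every client that received a 401
# or 403, highest count first. Splitting on the double quote keeps the parse
# correct when X-Forwarded-For holds several space-separated addresses;
# nginx writes a literal quote inside a logged variable as \x22.
denied_by_client() {
    awk -F'"' '
        NF >= 7 {
            split($1, head, " ")          # head[1] is remote_addr
            status = $3
            gsub(/ /, "", status)
            if (status == "401" || status == "403")
                hits[head[1] " " status]++
        }
        END { for (k in hits) print hits[k], k }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

# flag_clients LOGFILE MIN
# Prints "<client_ip> <total>" for clients with at least MIN denied requests.
flag_clients() {
    denied_by_client "$1" | awk -v min="$2" '
        { total[$2] += $1 }
        END { for (ip in total) if (total[ip] >= min) print ip, total[ip] }
    ' | LC_ALL=C sort
}

# Demo on the constructed sample.
demo_log=$(mktemp)
write_sample_log "$demo_log"
denied_by_client "$demo_log"
flag_clients "$demo_log" 3
rm -f "$demo_log"
```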
12.11 Nginx log rotation
Log rotation relies on a system tool or on a log rotation script
Log rotation script
[root@arslinux-01 ~]# vim /usr/local/sbin/nginx_logrotate.sh
#! /bin/bash
d=`date -d "-1 day" +%Y%m%d`
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
for log in `ls *.log`
do
    mv $log $log-$d
done
/bin/kill -HUP `cat $nginx_pid`
d=`date -d "-1 day" +%Y%m%d`    generates yesterday's date
logdir="/tmp/"    the directory that holds the logs
nginx_pid="/usr/local/nginx/logs/nginx.pid"    locates the pid so that nginx can be reloaded and start writing new log files (the pid used for the logs)
cd $logdir    enters the log directory
for log in `ls *.log`    lists the files present in the working directory logdir; each file is the object of one loop iteration
do
mv $log $log-$d    renames every log, with yesterday's date as the suffix
/bin/kill -HUP `cat $nginx_pid`    reloads nginx, which creates a new test.com.log
View the script's execution (sh -x runs the script and prints each step as it executes)
[root@arslinux-01 ~]# sh -x /usr/local/sbin/nginx_logrotate.sh
++ date -d '-1 day' +%Y%m%d
+ d=20190515
+ logdir=/tmp/
+ nginx_pid=/usr/local/nginx/logs/nginx.pid
+ cd /tmp/
++ ls test.com.log
+ for log in '`ls *.log`'
+ mv test.com.log test.com.log-20190515
++ cat /usr/local/nginx/logs/nginx.pid
+ /bin/kill -HUP 7481
· Delete older log files after a period of time
find /tmp/ -name "*.log-*" -type f -mtime +30 | xargs rm
Add a scheduled task
[root@arslinux-01 ~]# crontab -e
0 0 * * * /bin/bash /usr/local/sbin/nginx_logrotate.sh
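An added example, not the author's script: the same rotation written as functions that take the log directory as a parameter, so they keep working if the logs are moved out of the world-writable /tmp. It skips symlinks and non-regular files, tolerates file names with spaces and an empty directory, and prunes old rotated files; the function names, the retention argument and the use of USR1 instead of HUP are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post).

# rotate_logs LOGDIR DATESTAMP [PIDFILE]
# Renames every regular *.log file in LOGDIR to <name>-DATESTAMP, then asks
# nginx to reopen its logs if PIDFILE is given and readable.
# Prints the number of files rotated.
rotate_logs() {
    logdir=$1 stamp=$2 pidfile=${3:-}
    count=0
    for log in "$logdir"/*.log; do
        # An unmatched glob stays literal and fails -f. Symlinks are skipped
        # so that a link placed in the directory cannot redirect the rename.
        [ -f "$log" ] && [ ! -L "$log" ] || continue
        # Never overwrite an earlier rotation that carries the same stamp.
        [ -e "$log-$stamp" ] && continue
        mv -- "$log" "$log-$stamp" && count=$((count + 1))
    done
    if [ -n "$pidfile" ] && [ -r "$pidfile" ]; then
        # nginx reopens its log files on USR1; the script on this page sends
        # HUP, which reloads the configuration as well.
        kill -USR1 "$(cat "$pidfile")"
    fi
    echo "$count"
}

# prune_rotated LOGDIR DAYS
# Deletes rotated files (*.log-*) in LOGDIR last modified more than DAYS days
# ago. The quoted pattern is expanded by find, not by the shell.
prune_rotated() {
    find "$1" -maxdepth 1 -type f -name '*.log-*' -mtime +"$2" -exec rm -f -- {} +
}

# Demo on a constructed file in a scratch directory (no signal is sent
# because no pid file is passed).
demo_dir=$(mktemp -d)
: > "$demo_dir/test.com.log"
rotate_logs "$demo_dir" "$(date +%Y%m%d)" >/dev/null
ls "$demo_dir"
rm -rf "$demo_dir"
```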
12.12 No logging and expiry times for static files
Edit the configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~    matches exactly those files whose names end in .gif, .jpg, .jpeg, .png, .bmp or .swf
expires    sets the expiry time
access_log    whether to record the access log
Because the expiry times differ, the rules are written as two separate blocks, with js|css kept apart from the one above
· Create 1.gif and 2.js under /data/wwwroot/test.com/ and then request them
[root@arslinux-01 ~]# echo "lkhlkjdahlfjkahd" > /data/wwwroot/test.com/1.gif
[root@arslinux-01 ~]# echo "ddfafafaddfdeerr" > /data/wwwroot/test.com/2.js
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/1.gif
lkhlkjdahlfjkahd
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/2.js
ddfafafaddfdeerr
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/index.html
test.com
[root@arslinux-01 ~]# cat /tmp/test.com.log
127.0.0.1 - [16/May/2019:20:47:45 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/index.html
test.com
[root@arslinux-01 ~]# cat /tmp/test.com.log
127.0.0.1 - [16/May/2019:20:47:45 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:20:48:24 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
Requests for .gif and .js files are not logged
· If js is followed by other characters, the rule no longer matches, so the request is logged
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/2.jsdfsfs
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
[root@arslinux-01 ~]# cat /tmp/test.com.log
127.0.0.1 - [16/May/2019:20:47:45 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:20:48:24 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:20:51:19 +0800] test.com "/2.jsdfsfs" 404 "-" "curl/7.29.0"
· The response headers include Cache-Control: max-age=43200; if expires is removed from the configuration file, there is no expiry time
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 16 May 2019 12:50:41 GMT
Content-Type: application/javascript
Content-Length: 17
Last-Modified: Thu, 16 May 2019 12:46:43 GMT
Connection: keep-alive
ETag: "5cdd5bb3-11"
Expires: Fri, 17 May 2019 00:50:41 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/2.js -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 16 May 2019 12:54:38 GMT
Content-Type: application/javascript
Content-Length: 17
Last-Modified: Thu, 16 May 2019 12:46:43 GMT
Connection: keep-alive
ETag: "5cdd5bb3-11"
Accept-Ranges: bytes
The max-age expiry time is gone
12.13 Nginx hotlink protection
Edit the configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
~* means the match is case-insensitive
The URL ends with one of the extensions listed in ()
The expiry time is 7 days
The access log is not recorded
valid_referers sets the whitelist (none: no Referer header; blocked: a Referer that a proxy or firewall has stripped; server_names: this server's own names; plus *.test.com); if the Referer does not match, return 403 directly
Test
[root@arslinux-01 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Thu, 16 May 2019 13:09:24 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@arslinux-01 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 16 May 2019 13:09:30 GMT
Content-Type: image/gif
Content-Length: 17
Last-Modified: Thu, 16 May 2019 12:46:21 GMT
Connection: keep-alive
ETag: "5cdd5b9d-11"
Expires: Thu, 23 May 2019 13:09:30 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
Hotlink protection is configured successfully
12.14 Nginx access control
1. By directory
Edit the configuration file and set access control
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
{
    allow 127.0.0.1;
    allow 192.168.194.130;
    deny all;
}
allow and deny in the configuration file:
allow and deny here follow different rules from the allow and deny under order in Apache
In Apache, if allow comes first and deny after, the final result is deny;
In nginx, allow works by matching: once a rule matches, the rules below it are no longer evaluated. In this example, a request from 127.0.0.1 matches the first allow and nothing below it is evaluated; a request from 127.0.0.2 matches neither of the first two rules, falls through to the third, and is denied.
[root@arslinux-01 ~]# curl -x192.168.194.130:80 test.com/admin/ -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 16 May 2019 13:23:49 GMT
Content-Type: text/html
Content-Length: 19
Last-Modified: Wed, 15 May 2019 14:40:08 GMT
Connection: keep-alive
ETag: "5cdc24c8-13"
Accept-Ranges: bytes
2. By regular-expression match
Configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ .*(upload|image)/.*\.php$
{
    deny all;
}
Test
[root@arslinux-01 ~]# mkdir /data/wwwroot/test.com/upload/
[root@arslinux-01 ~]# echo "1111" > /data/wwwroot/test.com/upload/1.php
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
[root@arslinux-01 ~]# echo "1111" > /data/wwwroot/test.com/upload/1.txt
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
1111
[root@arslinux-01 ~]# cat /tmp/test.com.log
127.0.0.1 - [16/May/2019:20:47:45 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:20:48:24 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:20:51:19 +0800] test.com "/2.jsdfsfs" 404 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:21:23:38 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.194.130 - [16/May/2019:21:23:49 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:21:33:28 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [16/May/2019:21:34:10 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
Under upload, 1.txt is accessible but 1.php is forbidden
3. Restricting by user_agent
Useful when the site is under a CC attack, when you want to block certain spiders, or when you want to keep the site hidden from search
Edit the configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
    return 403;
}
deny all and return 403 have the same effect
Test
[root@arslinux-01 ~]# curl -A "YoudaoBot" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Thu, 16 May 2019 13:42:16 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@arslinux-01 ~]# curl -A "youdaoBotsdfsfs" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 16 May 2019 13:43:25 GMT
Content-Type: text/plain
Content-Length: 5
Last-Modified: Thu, 16 May 2019 13:34:06 GMT
Connection: keep-alive
ETag: "5cdd66ce-5"
Accept-Ranges: bytes
Any request that matches a keyword is blocked
· To ignore case, change ~ to ~*
[root@arslinux-01 ~]# curl -A "youdaoBotsdfsfs" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Thu, 16 May 2019 13:45:30 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
The one starting with a lowercase letter is now blocked too
12.15 Nginx configuration for parsing PHP
Configure PHP parsing
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
· After saving, do not reload the configuration yet; first create a new PHP file with any content, then test the connection
[root@arslinux-01 ~]# vim /data/wwwroot/test.com/3.php
<?php phpinfo();
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/3.php
<?php phpinfo();
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/3.php
(too much output to show)
· If the socket file path in the configuration file is wrong, a 502 error is returned
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 502 Bad Gateway
Server: nginx/1.14.2
Date: Thu, 16 May 2019 14:16:53 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive
· Check the error log:
[root@arslinux-01 ~]# tail /usr/local/nginx/logs/nginx_error.log
2019/05/16 22:16:53 [crit] 8261#0: *23 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "HEAD HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
-- This shows that the .sock file path is incorrect
-- Look at the php-fpm.conf configuration file to find the .sock file path
[root@arslinux-01 ~]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
It is at /tmp/php-fcgi.sock
· Listening on an IP and port
-- In the php-fpm configuration, change from listening on a socket to listening on an IP and port
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@arslinux-01 ~]# /usr/local/php-fpm/sbin/php-fpm -t
[16-May-2019 22:29:01] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@arslinux-01 ~]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@arslinux-01 ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      8507/php-fpm: maste
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7497/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      7477/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      7803/master
tcp6       0      0 :::3306                 :::*                    LISTEN      7733/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      7477/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      7803/master
127.0.0.1:9000 is now being listened on
-- curl still returns 502; the error log shows it is still the problem of the socket not existing
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 502 Bad Gateway
Server: nginx/1.14.2
Date: Thu, 16 May 2019 14:49:54 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive
[root@arslinux-01 ~]# tail /usr/local/nginx/logs/nginx_error.log
2019/05/16 22:16:53 [crit] 8261#0: *23 connect() to unix:/tmp/php-cgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "HEAD HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi.sock:", host: "test.com"
2019/05/16 22:49:54 [crit] 8495#0: *27 connect() to unix:/tmp/php-fcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "HEAD HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
-- Change the socket location in the virtual host to 127.0.0.1:9000, reload, and curl again
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 16 May 2019 14:53:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.39
PHP is now parsed
(So the php-fpm configuration and the virtual host configuration must correspond one to one: socket to socket, port to port)
★ SCRIPT_FILENAME in the configuration file must match the path given by root at the top of the configuration file:
· In php-fpm.conf, listen.mode is the permission nginx operates under, which lets nginx read /tmp/php-fcgi.sock
· Without it, php-fcgi.sock defaults to mode 440 with owner and group root, while nginx runs as nobody and cannot read it, so an error results; we test this below
· Change both php-fpm.conf and test.com.conf back to listening on the socket
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 502 Bad Gateway
Server: nginx/1.14.2
Date: Thu, 16 May 2019 15:09:45 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive
A 502 error, precisely because of the permission problem
-- and the error log now shows a Permission denied error
[root@arslinux-01 ~]# tail -1 /usr/local/nginx/logs/nginx_error.log
2019/05/16 23:09:45 [crit] 8772#0: *43 connect() to unix:/tmp/php-fcgi.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "HEAD HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fcgi.sock:", host: "test.com"
[root@arslinux-01 ~]# ll /tmp/php-fcgi.sock
srw-rw---- 1 root root 0 5月 16 23:08 /tmp/php-fcgi.sock
nginx runs as nobody and has no read permission on php-fcgi.sock, hence the 502 error; for normal access it needs at least read and write permission
-- Temporarily change the owner of /tmp/php-fcgi.sock to nobody; the 502 error no longer occurs
[root@arslinux-01 ~]# chown nobody /tmp/php-fcgi.sock
[root@arslinux-01 ~]# curl -x127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 16 May 2019 15:12:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.39
Therefore listen.mode in /usr/local/php-fpm/etc/php-fpm.conf has to make /tmp/php-fcgi.sock readable and writable by everyone. A tighter alternative is to set listen.owner and listen.group in php-fpm.conf to the account nginx runs as and use listen.mode = 0660, so that other local users cannot connect to the socket.
· Exhausted php-fpm resources also produce 502 errors; in that case tuning is needed
Reference: http://10717334.blog.51cto.com/10707334/169841
12.16 Nginx proxy
1. Users cannot reach the web server directly; the web server only has a private IP
2. Users can reach the web server, but access is too slow
Edit the proxy server's configuration file
[root@arslinux-01 ~]# vim /usr/local/nginx/conf/vhost/proxy.conf
server
{
    listen 80;
    server_name ask.apelearn.com;

    location /
    {
        proxy_pass http://223.94.95.10/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
proxy_pass    the web server's IP address
proxy_set_header Host    the host name/domain being requested ($host, which here is the server_name)
proxy_set_header X-Real-IP    passes the client's IP ($remote_addr) to the web server
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@arslinux-01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@arslinux-01 ~]# curl ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/[root@arslinux-01 ~]#
[root@arslinux-01 ~]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/[root@arslinux-01 ~]#
Normally, without the proxy configured, the remote site cannot be reached locally
With the proxy configured, the web server can be reached locally
Further reading
nginx.conf configuration explained
https://coding.net/u/aminglinux/p/nginx/git/tree/master/3z
The four nginx rewrite flags
http://unixman.blog.51cto.com/10163040/1711943
https://coding.net/u/aminglinux/p/nginx/git/blob/master/rewrite/break.md
Summary of 502 problems http://ask.apelearn.com/question/9109
location priority https://coding.net/u/aminglinux/p/nginx/git/blob/master/location/priority.md